[22 March update: Amazon has appealed] The 🇫🇷 CNIL fined Amazon for excessively intrusive monitoring, using several illegal indicators and unsecure video surveillance software, without sufficiently informing employees and visitors.
This case is not only a goldmine for DPOs in the Swedish healthcare sector (although particularly so), but DPOs in general, for assessing roles, legal bases and processor liability.
Unauthorised disclosure or access doesn't equate to inadequate measures, but must be proven to prevent damages claims. National courts must assess your case concretely and cannot systematically rely on expert reports. Mere fear 😱 = non-material damages (but must be proven by the data subject).